The Linux Page

Tripwire and updates

Wired Train Station, Ready for Your Next Trip?

A week or so ago we updated our Ubuntu server to Intrepid and ran in a problem with tripwire that showed up like this:

tripwire -m u -r <report-file>
### Error: Keyfile Read/Write error.
### /etc/tripwire/site.key
### Exiting...

We tried to renew the key file with the following:

twadmin -m G -S /etc/tripwire/site.key

and it did not make any difference (other than the key file had a new date).

The permissions looked right too (root, u+rw only).

When trying to regenerate the .pol or .cfg we got the same error:

twadmin -m P -p /etc/tripwire/tw.pol /etc/tripwire/twpol.txt
twadmin -m F -c /etc/tripwire/tw.cfg /etc/tripwire/twcfg.txt

And I tried to remove the tw.pol and tw.cfg files (renaming them, really, just in case) and it did not help.

Trying again today (Apr 23, 2018), as somehow the name of the file changed on us. Tripwire decided to use the hostname which has been different for months (over a year now?) and somehow messes up the daily check since it can't find the correct configuration information. I could not run the "-m F" option by itself, I had to specify the site key file too as in:

twadmin -m F -S /etc/tripwire/site.key -c /etc/tripwire/tw.cfg /etc/tripwire/twcfg.txt

This seems to have worked for this minor update. We'll see whether we get the right info tomorrow or not.

In 2009, the one command that would work in regard to the configuration file was:

twadmin -m f -c /etc/tripwire/tw.cfg

That would properly print out the encrypted configuration file.

Finally, we decided to re-initialize the database hoping that the --init command line option would make it work again.

tripwire --init

This command asked us our passphrase that was accepted. Then it started processing the code and it said that the database was properly processed as I expected...

But that did not solve the problem.

So we decided to simply remove everything and reinstall. To do so we did this:

apt-get purge tripwire
cd /etc/tripwire
rm <leftovers>
cd ..
rmdir /etc/tripwire
cd /var/lib/tripwire
rm <leftovers>
cd ..
rmdir /var/lib/tripwire
apt-get install tripwire
tripwire --init

The extra rm commands were used because we had some extra .cya files. This means the /etc/tripwire and /var/lib/tripwire directories did not automatically get wiped out (in case you had some important files there?!)

The tripwire --init at the end regenerates the database which is not automatic with the installation (possibly because it takes a very long time and it should happen AFTER everything else was installed.)

One thing that I did not try is to re-sign the policy file. Maybe that would have helped. You could try with twadmin -m E ... but I was really thinking that would fail too and thus did not even bother.

By the way, we also remove the /proc from the policy file and add a few more directories (which I won't disclose here...) so we can watch what we want to watch. Once you have changed the policy file, do this to make sure it is taken in effect:

twadmin --create-polfile --polfile /etc/tripwire/tw.pol
        --site-keyfile /etc/tripwire/site.key

(This is one long command line! I broke it up so you don't have to scroll left & right, but watch out as a copy & paste won't work all at once.)

Be aware that the command will ask you for your passphrase in order to sign the output file. This is normal, that's how the file is made secure.